This morning, my esteemed colleague kcpike posted this tweet in one of our internal chatrooms:

I think it's an interesting question, because it covers a scenario we tend to forget about: folks who are researching problems that they might not have directly in front of them. We've run into folks facing this challenge a fair bit over the years, but mostly in the form of support emails or other forms of private communication, which makes them hard to cite or refer back to... So I figured I'd ask if anyone reading this had a story to share.

Specifically, if you've ever wanted to research a problem on Stack Overflow while operating on a classified network...

...How did you go about doing so?

...What issues did you encounter that wouldn't normally apply to folks reading or asking questions on Stack Overflow?

...Were there additional policy or practical restrictions on how you could make use of the information you obtained this way?

Benefit number one: no copy-pasting allowed! Restrictions like this really should improve your troubleshooting and MCVE-building skills.
– CodeCasterFeb 21 '17 at 17:43

What if no one on classified networks actually manage to read this question? Also, wouldn't it be probable they use tor or some sort of gateway application in order to access from a more anonymous path?
– Travis JFeb 21 '17 at 19:52

26

Also a very real chance that no one who sees it and could respond is allowed to answer such questions publicly, @TravisJ... But hey, when you go fishing it ain't about the catch - it's about the beer you drink while your line's in the water.
– Shog9Feb 21 '17 at 19:59

3

It's a trap! They're trying to work out how to block people from classified networks from using Stack Overflow!
– Andrew GrimmFeb 21 '17 at 21:50

9 Answers
9

Sometimes there's an unclassified computer nearby with internet access. That's the best case, though it's still a pain in the rear if I have to type in a long technical error message.

Sometimes I have to leave the classified lab, which stinks because then I have to write down the error messages and stack traces on a piece of paper, google them, figure out the next command to try, go back in the lab, rinse and repeat.

If I'm not so lucky, I have to call a coworker and have an over-the-phone debugging sesh. That's never pretty.

Worst case is I have an escort-only badge and can't leave the area. In other words, I'm screwed.

(Actually, the worst case was the time I was forbidden from touching any keyboards. I had to dictate Linux shell commands to an intern who had never used Linux. In my head: cd /etc. Out loud: "See-dee etsy. Space etsy. Ack, space slash. Forward slash. The other slash. Yeah. Etsy. Oh, I mean ee-tee-see. long pause ... Sigh. Hit enter." <Cut two more days of torture too gruesome for a Saw movie.>)

Equipment and Media

Phones are disallowed. Nothing wireless, nothing with a camera. They've recently started to make an exception for Bluetooth fitness trackers (fitbits), though not smart watches.

The touch rule prevails: any writable storage that touches a classified network becomes classified. You can usually bring in unclassified laptops if they have no camera and wi-fi is physically disabled.

CDs and DVDs are allowed if you make sure to close the session so they're no longer writable. Sometimes USB thumb drives are allowed if they have read-write toggle switches. Toggling them read-only prevents them from being "contaminated" by the classified network. In short, bringing in data is easy, but taking it out is not.

At my previous job, I was working for one of the 10 largest defense industry companies. I can answer from that perspective.

The bulk of my work was unclassified. That means I did it at my desk, in my cube, in the main part of the building. The computer that I used was on the corporate network, which was connected to the Internet. However, there were times when I had to enter classified parts of our facility and do work in a secure environment. However, the bulk of this work was systems integration and system testing using real-world data. The system had already been designed, coded, unit tested, and some level of unclassified system testing using mocked up data.

In the classified areas, there were some workstations with access to the corporate network. However, these workstations were typical office machines - no development tools. That means no version control, no compilers or debuggers, and so on. These were in a shared table. You would have to lock your classified workstation, get up, and walk to one of these shared computers, use it, and then go back to your classified workstation.

That said, there were some projects where the software is classified, so the work also needs to be done in a classified environment. These people will be doing software development on machines that don't have access to the Internet and may need to physically move to a different part of the room or even a totally different room to have access to the Internet.

From a coding perspective, one of the hardest things in this environment is the strict configuration management of the environment - using specifically approved software packages and even specific versions of those packages. Introducing new software to a secure environment is extremely difficult. Although this is true in any regulated environment - although I'm out of the defense world now, I'm in healthcare and we still have a pretty strict management of the configuration of the environments. Something that I'd like everyone to understand is that if I'm working in one of these environments, I'm probably not using the latest and greatest set of tools and technologies, but what's been approved. Answers directing me to upgrade installed packages or patch any kind of shared configuration won't work.

The second hardest problem isn't just for Stack Overflow, but any time there's a problem. Sometimes, problems only exist in a classified data set. More than once I've passed my full battery of tests, but found that something in the classified data set wasn't right. Sometimes, the data deviated from the specification. Othertimes, I had overlooked something. Having a function and not being able to show people the input to it and output from it is generally difficult. Things like this are hard for Stack Overflow to deal with - this really requires discussion.

As far as policies, nothing really prevented me from using the information on Stack Overflow. But then again, I never copied code from Stack Overflow into my work projects, but used it to better understand the problem and how to approach a solution. I suspect that the current licensing of code on SO would be a problem for major companies to fully grasp. However, that is only an issue if copyrightable code is being dropped into projects. Highly unlikely for these secure projects, unless people are hand-carrying SO answers into classified environments.

If there's anything I'm missing or need to elaborate on, please leave a comment. I'd be more than happy to help any users or Stack Overflow staff better understand working in regulated environments - I spent 5 years in defense and now just over 6 months in healthcare.

"Having a function and not being able to show people the input to it and output from it is generally difficult." In cases like this, I would have imagined the process of creating a MVP would also mean creating the smallest/simplest set of data for input/output (data that in theory wouldn't then be classified). One aspect with that though, would a typical output only be classified because of the input being classified or because of some transformation in the function itself?
– TurnerjFeb 24 '17 at 1:21

3

"Answers directing me to upgrade installed packages or patch any kind of shared configuration won't work." This is probably THE biggest issue I face as well, even working on unclassified internet-connected networks. The configuration control is extremely strict and there is a lot of red tape for approvals. I can't even use GIT for crying out loud because it isn't approved! (and yet Github isn't blocked.....)
– DaveFeb 24 '17 at 1:33

@Turnerj if the original content was classified then anything that uses that content is by definition also classified. If you copy some words from a classified document and paste it into a new doc and move that doc to an unclassified system, that is considered a breach, that system is now also classified and subject to immediate seizure and destruction, and loss of all your data of course. So "theoretically" if classified info is posted to SO then that could render SO subject to destruction of its servers hosting the info, and anywhere it was sent to via the internet.
– DaveFeb 24 '17 at 1:39

2

@Turnerj There's also classification through aggregation -- piecing together enough unclassified info to reveal what should be classified. The whole field of OPSEC is based on that concept -- being vigilant about what "harmless" info you reveal that can be aggregated into something harmful. You can sanitize your classified functions, but the more of them you put online the more likely someone can put 2 and 2 together and figure out more than they should. Not guaranteed to happen but spooks spend a lot of time dumpster diving and whatnot for a reason...
– DaveFeb 24 '17 at 1:42

@Dave, yeah, I assumed if you copy pieces of classified information then it still would be classified. I mean something like, if the classified data was a list of names and locations of people, an MVP would be to try a fake name and location combo to see if the issue still exists.
– TurnerjFeb 24 '17 at 2:42

@Dave Your second comment, that makes sense and I see where that would still be an issue. While I don't deal with classified information, I kinda feel a similar problem when commenting on certain answers where it can show a chain of related topics I am currently working on etc. What I might be building is proprietary though the core of it could be identified by simply what questions/answers I've been looking at.
– TurnerjFeb 24 '17 at 2:44

2

@Turnerj Yes I've had that exact same concern here and in other forums as well. It's something we are taught constantly to be aware of. As to whether everyone actually follows that guidance, no they don't even though they should. I've probably been sloppy myself a few times too. I do believe it is not "highly" likely that such an exploit can happen but the concern is definitely there. Unfortunately such self-censorship can sometimes make it more difficult to get an actually useful answer.
– DaveFeb 24 '17 at 3:27

I formerly worked as a developer/administrator for Oracle database on a military command. I did not use StackExchange in those days, but I did frequently need to use Oracle references on the public internet (MetaLink at the time, now I think they just call it My Oracle Support).

How did you go about doing so?

In my office we had one workstation connected to the non-secure network which could access the public internet. There are rules dictating minimum physical separation from the secure network devices.

Were there additional policy or practical restrictions on how you could make use of the information you obtained this way?

Transferring media between secure and non-secure devices had to be authorized. No copy/pasta. It would not be uncommon to take notes by hand from the non-secure computer and walk back to my desk and work from my notes.

There's really only one answer to this question, with two options. You have to use an internet-connected device that is separate from your classified device. Your options are a company-/government-supplied, internet-connected workstation or your personal workstation/device.

In all cases you are self-restricting the content of your question or search to exclude mention of any process or data that may be classified. That's usually not hard to do, because most questions can be made generic enough. But because it's a separate computer system, you obviously can't copy/paste code snippets to your (classified) work.

SO is terrific for scoping out all levels of technical questions and solving very tough (and even easy) problems. For someone in a restricted space, they just have to find the time to research outside that space. Quite often, it's either before or after the regular work hours.

Having a direct pipeline to all the experts in the SO community is quite wonderful and it is missed when you can't run a quick search. But I know from quite a few colleagues that SO is definitely still used frequently.

Really, you only have one option - a company or government supplied workstation with Internet access. Bringing a personal workstation or device into an area that holds classified material is a serious problem.
– Thomas OwensFeb 21 '17 at 22:48

1

Exactly correct. I was unclear on that point in my post, though I tried to tie that in when I mentioned "before or after regular work hours." I should have explicitly said it had to be outside the space.
– PeterTFeb 21 '17 at 22:50

The most annoying thing that I don't see mentioned so far is that since phones are not allowed in secure facilities (unless you are a 4-star/President, apparently...) even when I can get a UNCLASS workstation I can't do 2FA to log into my various accounts (e.g. Google, to which my SO account is attached). I've seen various coworkers try and do the timeout dance (a friend holds open the door, you check the code number and run inside to your UNCLASS machine and type it in real fast).

I think you can buy TOTP hardware tags, which might well be allowed into a secure facility (at least one where you had an unclassified workstation). Obviously that's still likely to be quite annoying, but it's better than the "timeout dance" :-)
– alastairFeb 22 '17 at 9:48

There is another aspect that I didn't see mentioned -- even UNCLAS networks can be heavily restricted in bizarre ways. I work on the NIPRNet which has access to the Internet. (through a dizzying array of firewalls of course)

Since the firewalls an proxies are being tweaked on a regular basis there can be some odd behavior. For example, StackOverflow may be available one day and down the next, then available again a week later. Currently at work it is available for reading, but login is blocked at the proxy. (??)

Github was the same way. For a very long time it was blocked and then suddenly late last year it opened up. The odd thing here is that we can log into Github while we can't log into StackOverflow. But Github Gists are absolutely banned.

But never fear, next week gists will be available but everything else on Github will be banned. melodramatic sigh

To get around this our unit has begun providing commercial wifi and separate laptops, even allowing BYOD to some extent. But this is only for the wifi, devices on wifi are never allowed to touch the .mil network at all, and devices on NIPRNet have wifi disabled.

But it is fast and gives us a way to research things that the regular network would block. Copy/paste involves writing data to a CD/DVD and sneakernetting it to the computer right next to it.

When I was in the military, I was lucky enough to be in a unit that had a (relatively) high number of computers with internet access. But they where highly monitored.
There was one time someone tried accessing a site about TOR - the next day IT came in from the main base to shut down that access point. Took a few weeks until they agreed to turn it back on.

There was one thing different than most other answers experience in that we where allowed to bring phones it - under the condition that they either put a sticker on the camera which was checked every time we left the base, or install app that shut off the camera plus a few other functions - which also was checked to make sure it was running anytime we left the base (it would report the last time it was turned on so turning it on right before we left would not work).
Of course anytime we went to prod site/had a briefing we had to leave phones outside the room/building.

During training though we had nothing more than an outdated version of MSDN - we where not even allowed phones in the classrooms.